Feature |
Product |
Release introduced |
---|---|---|
Unicast Reverse Path Forwarding (URPF) checking (IPv4) |
5320 Series |
Fabric Engine 8.6 5320-48P-8XE and 5320-48T-8XE only |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
Unicast Reverse Path Forwarding (URPF) checking (IPv6) |
5320 Series |
Fabric Engine 8.6 5320-48P-8XE and 5320-48T-8XE only |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
The Unicast Reverse Path Forwarding (uRPF) feature prevents packet forwarding for incoming unicast IP packets that have incorrect or forged (spoofed) IP addresses. The uRPF feature checks that the traffic received on an interface comes from a valid IP address, thereby preventing address spoofing. On a reverse path check, if the source IP address of the received packet at the interface is not reacheable using the FIB, the system drops the packet as the packet may have originated from a misconfigured or a malicious source.
You can configure uRPF for each IP interface or VLAN. When uRPF is enabled on an interface, the switch checks all routing packets that come through that interface. It ensures that the system displays the source address and source interface in the routing table, and that it matches the interface, on which the packet was received.
Strict mode: In strict mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. If the incoming interface is not the best reverse path, the packet check fails and uRPF drops the packet. If the routing engine finds the source IP entry, uRPF further checks if the source IP interface matches the incoming interface of the packet. If they match, the system forwards the packet as usual, otherwise, the system discards the packet.
Note
The number of packets dropped due to uRPF check on the ingress interface
gets incremented along with other general dropped statistics under the
IN-DISCARD column in the output of the command
show
interfaces gigabitEthernet error <collision|verbose>
{slot/port[-slot/port][,...]}.
Loose mode: In loose mode, uRPF checks whether the source IP address of the incoming packet exists in the FIB. The packet is dropped only if the source address is not reachable via any interface on that router.
uRPF can be enabled independently for IPv4 and IPv6. However, on a given interface, if uRPF is enabled for both IPv4 and IPv6, the urpf-mode can be either strict-mode or loose-mode for both IPv4 and IPv6. That means we cannot have IPv4 urpf-mode configured differently than that of IPv6.
Note
Note
uRPF check cannot detect spoofed source IP address if the source IP address belongs to a known subnet.